A Shibboleth SP vulnerability has been confirmed in the OpenSAML libraries affecting non-XML signature features in the Redirect and POST-SimpleSign bindings. This flaw exposes Shibboleth SP to critical SSO forgery/impersonation attacks.
If you use RapidConnect or OpenID Connect (OIDC) for your AAF service, you are not affected by this vulnerability.
Official advisory: https://shibboleth.net/community/advisories/secadv_20250313.txt
Affected versions of Shibboleth SP: 3.5 or older
Recommendation
Linux users:
Please see recommendations from the official advisory https://shibboleth.net/community/advisories/secadv_20250313.txt to update to V3.3.1 (or later) of the OpenSAML library package.
This is typically achieved with your package manager, e.g. yum update opensaml or yum update shibboleth. The shibd process will require a restart after the upgrade.
After the restart, the OpenSAML version is logged by shibd at startup; it should be at least 3.3.1 to indicate the fix is applied. e.g.
2025-03-16 11:30:44 INFO OpenSAML.Config : opensaml 3.3.1 library initialization complete
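The check above can be scripted. The following is an added example (not from the AAF advisory or the Shibboleth project) that reads a shibd log, extracts the OpenSAML version from the most recent "library initialization complete" line in the format shown above, and reports whether it is at least 3.3.1. The sample log lines used when it is run stand-alone are constructed for illustration; the log path /var/log/shibboleth/shibd.log in the usage comment is an assumption about a typical install.

```shell
#!/bin/sh
# Added example: confirm the OpenSAML fix (>= 3.3.1) from shibd log output.
# Assumes the startup line format: "... opensaml <version> library initialization complete"

# Print the OpenSAML version from the most recent initialization line in the log file $1.
opensaml_version_from_log() {
    grep -o 'opensaml [0-9][0-9.]* library initialization complete' "$1" \
        | tail -n 1 \
        | awk '{print $2}'
}

# Return 0 if dotted version $1 >= dotted version $2 (numeric, component by component;
# missing trailing components count as 0, so 3.3 == 3.3.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Check the log file $1: exit 0 if OpenSAML >= 3.3.1 was initialised,
# 1 if an older version was found, 2 if no initialization line is present
# (e.g. shibd has not been restarted since the upgrade, or the log rotated).
check_opensaml_log() {
    ver=$(opensaml_version_from_log "$1")
    if [ -z "$ver" ]; then
        echo "no OpenSAML initialization line found in $1; restart shibd and re-check" >&2
        return 2
    fi
    if version_ge "$ver" "3.3.1"; then
        echo "OpenSAML $ver initialised: fix applied (>= 3.3.1)"
        return 0
    fi
    echo "OpenSAML $ver initialised: older than 3.3.1, upgrade required" >&2
    return 1
}

# Usage (assumed default log location): sh check_opensaml.sh /var/log/shibboleth/shibd.log
if [ "$#" -gt 0 ]; then
    check_opensaml_log "$1"
else
    # Stand-alone demo on constructed sample log lines.
    demo=$(mktemp)
    printf '%s\n' \
        '2025-03-10 09:00:00 INFO OpenSAML.Config : opensaml 3.2.0 library initialization complete' \
        '2025-03-16 11:30:44 INFO OpenSAML.Config : opensaml 3.3.1 library initialization complete' \
        > "$demo"
    check_opensaml_log "$demo"   # most recent line wins: 3.3.1, fix applied
    rm -f "$demo"
fi
```

Only the most recent initialization line is considered, so a log that still contains an older line from before the upgrade is judged on the post-restart entry; if the package was updated but shibd was not restarted, the script reports the old version and the upgrade is not yet effective.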
Windows users:
Upgrade Shibboleth SP to 3.5.0.1 or newer
For Windows upgrade advice, see https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335545/Install+on+Windows#Upgrades
Official Shibboleth SP release notes: https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335693/ReleaseNotes
Should you experience any difficulties, please contact AAF Support.
Email: [email protected] | Web: support.aaf.edu.au